CVE-2026-49495: Ghidra Denial of Service via Malicious Mach-O Export Trie
Ghidra, the NSA's reverse-engineering framework, contains a flaw that can crash the entire application when you open a specially crafted Mach-O binary file. The problem stems from how Ghidra parses export information in these binaries—if an attacker creates a file with circular references in its export structure, Ghidra will get stuck in an infinite loop, consuming memory until the Java runtime runs out and terminates. This causes the loss of any unsaved work in the active Ghidra session.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-835
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-14
NVD description (verbatim)
Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection when traversing Mach-O binary export tries. A crafted Mach-O binary with circular references in the export trie causes unbounded queue growth and exponential string concatenation, triggering OutOfMemoryError that crashes the entire JVM and loses all unsaved work.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49495 is an uncontrolled resource consumption vulnerability in the ExportTrie.parseTrie() function within Ghidra versions 10.2 through 12.0. The vulnerability arises from insufficient cycle detection when traversing Mach-O binary export tries. A maliciously crafted Mach-O binary containing circular references in the export trie data structure triggers unbounded queue growth and pathological string concatenation during parsing. This exhausts heap memory, ultimately causing an OutOfMemoryError that crashes the JVM process hosting the Ghidra analysis session. The underlying weakness is classified as CWE-835 (Loop with Unreachable Exit Condition).
Business impact
For security teams and reverse-engineers relying on Ghidra for malware analysis, firmware inspection, and vulnerability research, this vulnerability introduces operational risk. Opening an untrusted or compromised Mach-O binary—whether discovered in the wild, received from a partner, or obtained during incident response—can abruptly terminate Ghidra and destroy the analyst's working session and unsaved analysis notes. In environments processing high volumes of binaries or conducting time-sensitive investigations, this denial-of-service effect can disrupt workflow, delay threat assessment, and reduce analyst productivity. The impact is amplified in organizations lacking disciplined checkpointing and version control practices for analysis work.
Affected systems
Ghidra versions 10.2 through 12.0 are affected. Organizations using Ghidra 12.1 and later are not vulnerable. The vulnerability is specific to parsing Mach-O binaries (the executable format used by macOS and iOS); analysis of other binary formats (ELF, PE, COFF) is unaffected. Any deployment of Ghidra—whether standalone on analyst workstations, integrated into automated analysis pipelines, or running in containerized environments—can be targeted if it processes untrusted Mach-O files.
Exploitability
Exploitation requires user interaction: an analyst must open a crafted Mach-O file within Ghidra. There are no prerequisites for authentication or elevated privilege. The attacker's capabilities are limited to denial of service; the vulnerability does not permit code execution, information disclosure, or persistence. From an attacker's perspective, the barrier to exploitation is low—constructing a Mach-O binary with a circular export trie is a well-defined programming task—but the attack only succeeds if the target analyst processes the malicious file. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed active exploitation in the wild as of the publication date.
Remediation
Update Ghidra to version 12.1 or later. NSA's Ghidra releases are available from the official GitHub repository and through integration with package managers in some Linux distributions. Organizations should validate the integrity of downloaded releases using cryptographic signatures provided by NSA. As an interim mitigation, organizations unable to upgrade immediately should restrict analysis of untrusted Mach-O binaries to isolated, sandboxed environments and implement process monitoring to detect memory exhaustion; however, this does not prevent the crash itself, only limits collateral damage. Analysts should enforce a discipline of frequently saving work to version control or automated snapshots.
Patch guidance
Verify that your deployment is running Ghidra 12.1 or later. Check the version displayed in Ghidra's Help > About menu or via command-line flag (ghidra_10.1.0/bin/ghidra --version or equivalent). Download the patched release from the official NSA Ghidra GitHub releases page and follow NSA's documented installation procedure for your operating system (Windows, Linux, macOS). If you have customized Ghidra plugins or scripts, test them against the new version in a non-production environment before full deployment. For organizations using Ghidra as part of an automated analysis pipeline or container image, rebuild your container image and redeploy to all instances.
Detection guidance
Monitor for OutOfMemoryError crashes in Ghidra processes, especially correlating crash timestamps with loading of Mach-O binaries. Analyze Ghidra's debug logs (enable verbose logging via Ghidra's preferences if available) for repeated warnings about export trie traversal or memory pressure. In sandboxed or containerized environments, observe process resource graphs for sudden, sustained memory consumption spikes that precede process termination. If Ghidra is integrated into an automated pipeline, instrument the pipeline to catch non-zero exit codes from Ghidra child processes and log the binary file that triggered the failure. Retroactively, you cannot easily detect if an analyst opened a malicious binary (unless process execution logging captured the file path), but you can detect the crash event itself in system or application logs.
Why prioritize this
This vulnerability merits timely patching because it affects a widely-used open-source security analysis tool, the barrier to crafting a malicious Mach-O is low, and the impact on analyst productivity is direct and obvious. However, its CVSS score of 5.5 (Medium severity) and the requirement for user interaction mean it should not displace critical or high-severity vulnerabilities from the patch queue. Prioritize this upgrade if your organization regularly analyzes Mach-O binaries (e.g., teams focused on iOS or macOS malware, security firmware analysis) or if Ghidra crashes have already been observed in production. For organizations analyzing primarily Linux or Windows binaries, this can be addressed in the next quarterly patch cycle.
Risk score, explained
The CVSS 3.1 score of 5.5 reflects a Medium severity profile with an important caveat: the score assumes 'User Interaction Required' (UI:R) and measures impact only as availability loss (A:H). Attack Vector is Local (AV:L), meaning the attacker must place or socially engineer delivery of a malicious file to the target. Attack Complexity is Low (AC:L)—constructing the malicious Mach-O is straightforward. Confidentiality and Integrity are unaffected (C:N, I:N). The score accurately captures denial of service to a single analyst's session but does not quantify the organizational workflow disruption, loss of analysis notes, or incident response delays. In security-critical environments, the contextual risk may exceed the base CVSS score.
Frequently asked questions
Can an attacker exploit this remotely, or does the malicious file have to be delivered locally?
The vulnerability requires local user interaction—the analyst must open a crafted Mach-O file in Ghidra. However, 'local' does not mean the attacker needs physical access to the analyst's machine. The malicious binary can be sent via email, placed on a shared drive, hosted on a web server, or embedded in a third-party sample repository. Once downloaded and opened in Ghidra, it triggers the crash.
Does this vulnerability allow an attacker to steal data or execute code on the analyst's machine?
No. The vulnerability causes only a denial of service—Ghidra crashes, ending the JVM process. There is no code execution, data exfiltration, or persistence. An attacker cannot use this flaw to pivot to other systems, steal cryptographic keys, or compromise the analyst's workstation; it is limited to crashing Ghidra and causing the loss of unsaved work.
My organization uses Ghidra for Linux and Windows binary analysis only. Do we need to patch?
This particular vulnerability affects only Mach-O parsing, so if your workflow does not include iOS or macOS binaries, your exposure is minimal. However, Ghidra may still parse Mach-O headers incidentally during format auto-detection. Best practice is to upgrade anyway, as Ghidra 12.1+ likely includes other bug fixes and security improvements unrelated to this CVE.
What should we do if a Ghidra process has already crashed in production?
First, determine if a Mach-O binary was open at the time of the crash by reviewing file paths in the analyst's workspace, recent file access logs, or Ghidra's recovery files. If yes, quarantine that binary and do not reopen it until you have upgraded. Recover the analyst's work from the most recent saved snapshot or version control backup. Then upgrade Ghidra to 12.1+ across your environment.
This analysis is for informational purposes and does not constitute legal, compliance, or professional security advice. Organizations should conduct their own risk assessment and testing before applying patches. The CVSS score and vulnerability details are derived from the official CVE record and NSA advisories; verify all technical claims against the vendor's official documentation. Patch deployment should follow your organization's change management and testing procedures. This vulnerability is not currently listed in CISA's KEV catalog, but status may change as new information emerges. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10028MEDIUMglib-networking GnuTLS Certificate Validation Denial-of-Service
- CVE-2026-41150MEDIUMMermaid Gantt Chart DoS via Excludes Attribute
- CVE-2026-44740MEDIUMBilly Go Library Denial-of-Service via Input Validation Flaws
- CVE-2026-46146MEDIUMLinux Kernel USB Audio Infinite Loop DoS Vulnerability
- CVE-2026-46314MEDIUMLinux Kernel DRM v3d Infinite Loop DoS Vulnerability
- CVE-2025-71319HIGHimage-size Denial of Service via Malformed JXL/HEIF Images
- CVE-2025-71329HIGHInfinite Loop DoS in image-size Library—Vulnerability Explanation & Patch Guidance
- CVE-2025-71330HIGHDenial of Service in image-size ICNS Parser